You've hopefully heard about the benefits of two-factor authentication. Requiring something beyond just a password to unlock your online accounts makes them much harder to break into.
However, two-factor authentication comes in several forms, with some faring better than others. When you have an option, which should you choose? Let's look at the pros and cons of two-factor authentication methods to find out.
Two-Factor Authentication vs. Two-Step Authentication
Before diving in, let's take a quick moment to clear up the differences between two-factor authentication and two-step authentication. They're similar, but not identical.
Two-factor authentication is when you protect an account with two different types of authorization methods. A factor can be one of the following:
- Something you know: This includes a piece of information, like a password or security question.
- Something you have: For example, your smartphone or another physical device.
- Something you are: A factor unique to your body, such as your fingerprint or iris.
True two-factor authentication means you must unlock two checks from different factors before you can log in. If your account is protected by two locks of the same factor, this is called two-step authentication.
For example, a password and security question are both something you know, making this kind of authentication two-step but not two-factor. This still provides better protection than a password alone, but proper two-factor authentication is preferable.
Two-factor authentication is a type of two-step authentication, but it's not true the other way around.
Method 1: Security Questions
You're probably familiar with this method: when creating an account, you choose one or more security questions and set answers for each one. When logging into that account in the future, you have to provide the right answer to each question to validate your access.
Pros of Security Questions
Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions---all you have to do is pick a few and give the answer. You don't need any other equipment or devices; the answer is stored in your head.
Cons of Security Questions
Many security question answers are easy to dig up. People can find information like your father's middle name or the street you grew up on in public records or on social media. It's also easy to accidentally divulge this sensitive info through social engineering, like phishing emails or phone calls.
To get around the weaknesses of security questions, you can enter a gibberish answer to effectively make it a second password. But you must be careful that you don't lose or forget that---storing it in your password manager is a good idea.
Method 2: SMS or Email Messages
For this type of two-factor authentication, you provide your mobile phone number when creating an account. When you want to log in, the service sends you a text message via SMS (or email, alternatively).
This has a temporary verification code that expires before long. You have to input the string to finish logging in.
Advantages of SMS Two-Step Authentication
SMS messages (and email) are convenient because nearly everyone has access to them. Usually the messages arrive instantly, or at most in a few minutes. If you ever lose your device, you can usually transfer your phone number to avoid getting permanently locked out.
Disadvantages of SMS Two-Step Authentication
You have to trust the service enough to share your phone number, as some disreputable services may use your number for advertising purposes. Another issue is that you can't receive the text containing your login code if you don't have cellular service.
Additionally, SMS and email are not secure communication methods. Hackers can intercept SMS texts without ever touching your phone, though it isn't easy.
Method 3: Time-Based One-Time Passwords (OTP)
With this authentication method, you use an authenticator app to scan a QR code that contains a secret key. Doing so loads the secret key into the app and generates temporary passwords that change regularly. After entering your password, you'll need to enter the code from your authenticator app to finish signing in.
Benefits of One-Time Passwords
Once you've added the account to your authenticator app, you don't need to have mobile service to access them. Since the secret key is stored on your device itself, it can't get intercepted like SMS can. And if you use certain authenticator apps, like Authy, you can sync your codes between multiple devices to avoid getting locked out.
Drawbacks of One-Time Passwords
If your phone runs out of battery, you won't be able to access your codes (though this is also true of SMS). Because the codes use the time to generate, there's potential for clocks to desync between your device and the service, which results in invalid codes. This is why you should always print the backup codes that services provide as an emergency login method.
While unlikely, if a hacker somehow cloned your secret key, they could generate their own valid codes at will. And if the service doesn't limit login attempts, hackers may still be able to compromise your account through sheer brute force.
Method 4: U2F Keys
Universal 2nd Factor (U2F) is an open standard that's used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug in a USB key, bump an NFC device, or swipe a smart card.
Pros of U2F
A U2F key is a true physical factor. As long as you keep them physically secure, they can't be digitally intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because they only work once you've registered them with a site. They are thus one of the most secure 2FA methods currently available.
Cons of U2F
U2F is a relatively new technology, so it isn't as widely supported as other choices. The other major drawback is inconvenience due to differing USB ports on your devices. For example, if you have a U2F key with a USB-A connector, it won't work on your Android device, iPhone, or newer MacBook without an adapter.
Higher-end U2F keys have built-in NFC so you can use them with mobile devices, but they're more expensive. While U2F keys start around $20, getting one that's rugged or includes NFC will cost more.
Method 5: Push Notification
Some two-factor authentication platforms provide an alternative method that's worth looking into. With this, after you enter your password, you receive a push notification on your device with some information about the login attempt. Simply tap Approve or Decline to respond to the request.
Benefits of Push Notifications
Push notifications are much more convenient than opening your authenticator app and copying down a code. They also contain information about who's trying to log in, such as the device type, IP address, and general location. This alerts you to any malicious login attempts as they happen.
Additionally, because the push notification is tied to your phone, there's no risk of a hacker copying down your secret code or stealing an SMS. This method requires you to physically have your device with you to log in.
Drawbacks of Push Notifications
Push notification authentication requires your phone to be connected to the internet. Thus, if you don't have a data connection and aren't connected to Wi-Fi, you won't get the login prompt.
Additionally, there's a risk of ignoring the information in the push and simply approving it without thinking. If you're not careful, this could lead to you granting access to someone who shouldn't have it.
Method 6: Biometrics (Face, Voice, or Fingerprint)
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it's imperative that you really are who you say you are, often in areas that require security clearance (like government).
Advantages of Biometrics
Biometrics are extremely difficult to hack. Even a fingerprint, which is probably the easiest to copy, requires some kind of physical interaction.
Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn't unbreakable, but it's pretty close.
Disadvantages of Biometrics
The biggest downside, which is the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. You can't change your fingerprint or face like you can a phone number.
Plus, most people aren't comfortable giving up their face, voice, or fingerprints to companies. Even if you did, the technology to use these factors properly would be too difficult to implement for everyday apps and services.
The Pros and Cons of Multi-Factor Authentication
Now that we've looked at the advantages and disadvantages of two-factor authentication methods, which one is the best? It depends on what you value most.
In general, these are our recommendations:
- For a balance, time-based one-time passwords using an authenticator app are the best. You must be careful about keeping backup codes in case you lose or break your device, though. Using Authy and signing in on multiple devices can help with this.
- For maximum security and privacy, U2F keys are the best. They can't be used to track you and you don't have to give up any personal information to use them. But U2F keys cost money and are often inconvenient.
- For convenience, SMS messages are the best. They have the potential to get intercepted and don't work when you have poor reception. However, they're quick, easy, and better than single-step authentication.
- If you have the option to use push notifications, they're worth trying. Just make sure you have a stable internet connection when using them, and always check the info in the prompt.
If you have a choice, don't ever rely on security questions as a two-factor method. When a site requires them, treat them like a second password and store your answers in a password manager. It's unwise to answer the questions directly.
Now that you know what method to use, follow our guide to enabling two-factor authentication on many popular websites.